diff -Nur moin-1.5.8/MoinMoin/user.py moin-1.5.8.new/MoinMoin/user.py
--- moin-1.5.8/MoinMoin/user.py	2006-10-08 23:06:37.000000000 +1000
+++ moin-1.5.8.new/MoinMoin/user.py	2007-11-15 17:21:35.000000000 +1000
@@ -366,6 +366,9 @@
         changed = 0
 
         if check_pass:
+	    # Disabled users can't be validated even if they know the password
+	    if self.disabled:
+	        return
             # If we have no password set, we don't accept login with username
             if not user_data['enc_password']:
                 return
diff -Nur moin-1.5.8/MoinMoin/auth.py moin-1.5.8.new/MoinMoin/auth.py
--- moin-1.5.8/MoinMoin/auth.py	2007-02-08 00:31:27.000000000 +1000
+++ moin-1.5.8.new/MoinMoin/auth.py	2007-11-15 17:20:34.000000000 +1000
@@ -150,6 +150,9 @@
         u = user.User(request, id=cookie['MOIN_ID'].value,
                       auth_method='moin_cookie', auth_attribs=())
 
+	if not u.valid:
+	    return user_obj, True
+
         if logout:
             u.valid = 0 # just make user invalid, but remember him